The heath authority is in the process of sending out notifications to all of the suspected victims and next of kin about the potential privacy breach, said a release the Nova Scotia Health Authority. - Ryan Taplin / File

Medical records of 2,841 people could be compromised after a Nova Scotia Health Authority employee recently fell victim to an email scam, the health authority said on Monday.

The NSHA is in the process of sending out notifications to all the suspected victims and next of kin about the potential privacy breach, said spokeswoman Carla Adams.

The employee was the victim of a phishing attack after receiving an email appearing legitimate, said Adams. The employee clicked on a link in the email enabling the attacker to access the contents of the employee’s inbox, which contained the thousands of medical records, said Adams. But she said it’s not known whether the attacker accessed those files.

“So we are alerting that there was a potential breach,” she said. “We apologize to anyone whose private information may have been viewed and who entrusts our organization and its people with care of their health and safeguarding of their personal health information.”

Matt Saunders, a Halifax lawyer specializing in cybersecurity and privacy law, said people have a legitimate reason to question the province’s data protection systems and whether provincial government staff are being adequately trained to spot and prevent what have become repeated breaches of people’s medical records.

“The public has a right to know what training is available to public employees who might be handling that information, that should be front-and-centre,” said Saunders. “Government employees should not be clicking on those links and not be making those mistakes.”

Besides the risk of identity theft, there are other potentially serious issues that could result from private medical records being compromised, he said.

“Those records contain information that is highly sensitive that an individual, simply from a privacy perspective, would not want their employers to know, may not want their family members to know, certainly not wanting the public at large to know that information and particularly cybercriminals.

“Some people equate data as the new oil and protecting personal information and data is so critical to everybody’s daily life, with respect to social media or online commerce, or whether it’s having your medical file updated. One would expect that the legislation and the resources available are appropriate and extremely private data is protected properly.”

Catherine Tully, the province’s information and privacy commissioner, released her annual report last week, showing there were at least 865 privacy breaches of medical records between April 1, 2018 and March 31.

“Without important modernizations to our laws, Nova Scotia is not prepared for the risks and opportunities that the digital age presents,” stated Tully in her review.

“With each passing day, Nova Scotia falls farther behind other provinces and other democracies. It will take courage and determination on the part of politicians and likely a push from the public to bring our access and privacy laws into the 21st century.”

Progressive Conservative health critic Karla MacFarlane said the latest breach is cause for concern as the Liberal government prepares to move to a One Person One Record system.

MacFarlane also pointed to Auditor General Michael Pickup’s 2018 performance audit in which he cited significant risks with the province’s information technology management.

“Now is the time for the Liberals to take a long look at how they handle the health information of Nova Scotians,” said MacFarlane.

“This government is planning to implement the One Person One Record system and they can’t even be trusted with the information they have now.”

Adams said the Office of the Information and Privacy Commissioner of Nova Scotia had been notified of the breach.

She said health authority staff are subjected to rigorous cybersecurity policies and training, including confidentiality agreements signed by all staff, and standard orientation regarding privacy across the province as well as ongoing in-person education for managers and front-line staff about cyber scams and phishing emails.